Endpoints are often the weakest link in the security chain, and legacy antivirus solutions are no longer enough to defend against modern threats, including zero day, evasive and fileless malware. Organizations of all sizes are adopting endpoint protection technology that provides multiple levels of protection for endpoints.
In this article I’ll cover the basics of endpoint protection, and show three case studies of organizations that successfully implemented endpoint protection solutions. I hope this will provide a concrete picture of what is involved in implementing endpoint protection, and the benefits you can hope to achieve.
What Is Endpoint Protection?
Endpoint protection is a category of security solutions used to protect endpoints, such as servers, employee workstations and mobile devices, from compromise or damage due to malicious attack or human error.
It has long been understood that organizations must deploy antivirus on every endpoint. However, legacy antivirus solutions are not enough to defend endpoints against a modern threat landscape. Endpoint protection solutions include antivirus, but add additional security layers, such as application whitelisting and blacklisting, content filtering, personal firewall, and endpoint detection and response (EDR).
Endpoint Protection in the Modern SOC
Endpoints are a prime target for attackers in virtually all organizations. Attackers can use unprotected endpoints to launch malware attacks, steal data, move laterally to control other resources on the network, and disrupt key business processes.
Over the years, malware and attack methods have become increasingly sophisticated. Attackers are using social engineering, zero day attacks, evasive and fileless malware, and other threat vectors to overcome traditional security defenses. These attempts must be countered by an organized, defensive response.
Endpoint protection plays an important role in strengthening the security of the entire network, by ensuring security operation centers (SOC) have visibility over endpoints, preventing attacks directly on endpoint devices, and enabling detection and mitigation of sophisticated attacks.
Endpoint Protection: 3 Case Studies
Let’s review case studies published by endpoint protection vendors, illustrating how three organizations implemented endpoint security solutions: Hitachi Consulting, Sayfol International School, and Noris Network AG (the full case studies are published by SentinelOne and Sophos; their content is summarized below).
While these case studies are vendor-published and therefore biased, they can shed light on the specific needs endpoint protection addresses, the features used by real-life organizations, and the problems endpoint protection can solve.
Hitachi Consulting
Hitachi Consulting helps organizations manage digital transformation projects. Its IT systems serve 6,500 users around the world.
Hitachi Consulting performs digital projects for some of the world’s largest organizations. Due to its high profile projects, it is critical to ensure environments are secure, because any attack can impact Hitachi, its customers, and a wide ecosystem of partners.
Hitachi IT leadership realized that endpoints, which had previously been protected only by legacy antivirus, were a weak point in their security posture. They identified that the main threats facing endpoints were zero-day exploits, malware, ransomware, and unknown attacks.
The solution would need to support 6000 endpoints with Windows versions dating back to XP, Linux version 10+, and Apple macOS.
The Hitachi Consulting team chose SentinelOne’s agent-based Endpoint Protection Platform (EPP), deploying it across all its endpoints. An initial benefit of the solution is that Hitachi security staff gained real-time visibility into endpoints, and the ability to conduct forensic investigation when security incidents are detected.
Hitachi evaluated SentinelOne on several dimensions:
- Reliability of threat prevention—Hitachi searched for a solution that would be able to reliably address unknown malware and ransomware. The SentinelOne solution provides several AI engines, leveraging behavioral analysis to detect unknown threats. It can detect and block file-based malware, fileless malware, weaponized media and documents, and lateral movement tactics.
- Maintenance efforts—Hitachi required a solution that does not require ongoing maintenance by security staff. SentinelOne was autonomous, able to provide value from day one without upkeep.
- Automated response—Hitachi required a solution that would be able to automatically mitigate threats at the device level, before infections spread to the rest of the network. SentinelOne provides automated responses to discovered threats, including isolating infected endpoints from the network, and rolling them back to a known good state.
- Endpoint performance impact—legacy antivirus scans needed to be run periodically, slowing down end-user devices. SentinelOne performs real-time analysis of threats when a suspicious indicator is discovered, minimizing the impact on user productivity.
Sayfol International School
Sayfol International School is an academic institute in Kuala Lumpur, serving over 2,000 students from 60 countries.
Sayfol has a small IT team, responsible for a variety of systems including student portals, labs and faculty workstations, with no dedicated security staff. The organization faces fundamental security challenges including:
- Use of legacy antivirus software with limited features and unreliable scheduling of scans—the solution failed to run scans on some devices, and also failed to detect some threats, resulting in recurring malware infections that spread throughout the network.
- USB drives were a major risk—these were commonly used by students, and served as a vector for spreading malware, because endpoints were not consistently and completely scanned.
- Malware spread beyond workstations to other equipment on the network, including CCTVs.
- There was an ongoing need to format and reinstall infected machines, and in many cases infections recurred.
Sayfol’s IT team realized legacy antivirus was not sufficient for its needs, and when the school expanded its IT infrastructure, it switched to a full endpoint protection platform—Sophos Intercept X and Central Endpoint Advanced. The organization currently uses 68 licenses of the solution.
Sayfol primarily uses the following capabilities of the Sophos endpoint protection solution:
- Peripheral control, managing access to USB drives and mobile devices and preventing infected files from being copied to the organization’s endpoints.
- Content filtering, preventing users from accessing malicious URLs.
- Scanning Internet connections to block download of threats in real time.
- Detection and removal of known and unknown threats.
- Applying central security policies to prevent infection of other machines.
The IT team reports that the Sophos solution reduced IT issues on the corporate network by as much as 90%. There is no longer a need to manually reformat and reinstall endpoints. Complaints of slowness and lag, which were previously caused by malware infections, are now a rare occurrence. An unexpected benefit was that bandwidth usage improved—probably due to elimination of malicious network communication by malware on endpoints.
Noris Network AG
Noris Network AG is a German IT services company serving clients like Adidas, Puma, Küchen Quelle, and Consorsbank. It focuses on IT outsourcing, managed services, cloud services and colocation. The company maintains its own high-performance communication backbone and operates several high-security data centers. These include the award-winning Nuremberg South and Munich East data centers, which are among the most energy-efficient data centers in Europe.
Noris was facing increasingly sophisticated attacks on its infrastructure, including techniques to disguise known malware, and fileless attacks. Existing defenses, including antivirus, firewalls, intrusion prevention systems (IPS) and intrusion detection systems (IDS), were not sufficient to detect and prevent many of these attacks.
Following extensive research and a three-month test phase, the company deployed SentinelOne’s endpoint protection platform. The main criterion for selecting the solution was that, unlike traditional signature-based security products, it is based on dynamic behavioral analysis techniques powered by machine learning. In addition, the solution supports all operating systems deployed in Noris data centers—Windows, OS X, and Linux derivatives.
Behavioral analysis means that even infections with unknown or stealthy malicious code can be identified and automatically blocked within a few seconds, by analyzing its execution behavior, before any damage occurs. Behavioral analysis techniques are constantly trained and continuously optimized using data about new threats.
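The difference between signature-based and behavior-based detection described above can be made concrete with a small scoring engine. The following Python is an added illustration written for this article, not code from the Noris case study, SentinelOne or Sophos, and it is a deliberately simple heuristic rather than a machine-learning model. Everything in it is constructed: the "known bad" hash, the process-event log, the scoring rules, the rename window and the block threshold are all assumptions chosen to show why a repacked binary with a fresh hash slips past a hash blocklist but still trips behavioral rules.

```python
"""Toy signature-vs-behavior detector over a constructed process-event log.

Added illustration, not a vendor's algorithm. All hashes, paths, thresholds
and events below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed "known bad" hash standing in for a signature database.
KNOWN_BAD_HASHES = {"deadbeef" * 8}

RENAME_WINDOW_SECONDS = 10.0   # assumed window for the mass-rename rule
RENAME_BURST_THRESHOLD = 20    # assumed rename count that counts as a burst
BLOCK_THRESHOLD = 60           # assumed score at which a process is blocked
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since boot (constructed)
    pid: int
    image: str      # path of the executable
    sha256: str     # hash of the executable
    action: str     # "spawned_by", "rename", "write" or "net_connect"
    target: str     # parent image, file path or remote address


def _rename_burst(pid, image, sha256, start):
    """Constructed burst of 30 renames to a new extension, ransomware-style."""
    return [Event(start + i * 0.1, pid, image, sha256, "rename",
                  "C:\\Users\\u\\Documents\\file%d.docx.locked" % i)
            for i in range(30)]


EDITOR = r"C:\Program Files\Editor\editor.exe"
OLD_MALWARE = r"C:\Users\u\Downloads\sample.exe"
REPACKED = r"C:\Users\u\AppData\Local\Temp\invoice.exe"

SAMPLE_EVENTS = (
    # pid 400: a text editor doing ordinary work (benign).
    [Event(10.0, 400, EDITOR, "a1" * 32, "write", r"C:\Users\u\notes.txt"),
     Event(12.0, 400, EDITOR, "a1" * 32, "rename", r"C:\Users\u\notes.txt.bak")]
    # pid 700: an old sample whose hash is already on the list.
    + [Event(15.0, 700, OLD_MALWARE, "deadbeef" * 8, "net_connect", "203.0.113.5:443")]
    # pid 900: the same family repacked; new hash, same behavior.
    + [Event(20.0, 900, REPACKED, "c3" * 32, "spawned_by", "WINWORD.EXE")]
    + _rename_burst(900, REPACKED, "c3" * 32, 21.0)
    + [Event(25.0, 900, REPACKED, "c3" * 32, "net_connect", "203.0.113.5:443")]
)


def signature_verdicts(events):
    """Hash blocklist lookup: flags only binaries that have been seen before."""
    hits = {}
    for e in events:
        hits[e.pid] = hits.get(e.pid, False) or e.sha256 in KNOWN_BAD_HASHES
    return hits


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while ts[j] < ts[i] - window:   # slide the window start forward
            j += 1
        best = max(best, i - j + 1)
    return best


def behavior_scores(events):
    """Score each process on what it does, ignoring what its hash is."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    scores = {}
    for pid, evs in by_pid.items():
        score = 0
        if any(e.action == "spawned_by" and e.target.upper() in OFFICE_PARENTS
               and "\\Temp\\" in e.image for e in evs):
            score += 40   # an Office document launched a binary from a temp directory
        renames = [e.ts for e in evs if e.action == "rename"]
        if max_in_window(renames, RENAME_WINDOW_SECONDS) >= RENAME_BURST_THRESHOLD:
            score += 50   # burst of file renames, typical of encryption in progress
        if score and any(e.action == "net_connect" for e in evs):
            score += 10   # outbound connection on top of other suspicious behavior
        scores[pid] = score
    return scores


def verdicts(events, threshold=BLOCK_THRESHOLD):
    """Combine both layers: block when either the hash or the behavior says so."""
    sig = signature_verdicts(events)
    beh = behavior_scores(events)
    return {pid: "block" if sig[pid] or beh[pid] >= threshold else "allow" for pid in sig}


if __name__ == "__main__":
    for pid, v in verdicts(SAMPLE_EVENTS).items():
        print(pid, v, "signature" if signature_verdicts(SAMPLE_EVENTS)[pid] else "",
              "behavior=%d" % behavior_scores(SAMPLE_EVENTS)[pid])
```

On the constructed log, the hash lookup blocks the old sample (pid 700) and nothing else, while the behavioral rules give the repacked copy (pid 900) a score of 100 and the benign editor a score of 0; the combined verdict blocks both malicious processes. The point is not the particular weights, which are arbitrary here, but that the behavioral layer needs no prior knowledge of the binary, which is what lets it act on unknown or disguised code before the signature database catches up.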
Resource utilization was important for Noris’s data center operators. Some of the solutions evaluated required a lot of bandwidth for updates, and caused CPU peaks with resource-intensive scans, which impacted endpoint performance. Noris preferred a solution with a slim client and low memory and CPU utilization.
In this article I reviewed three case studies of real-life organizations that implemented modern endpoint protection solutions. In summary, these organizations achieved three key benefits:
- Reduction in malware infection and re-infection, including from unknown and zero-day threats
- Reduced maintenance efforts due to automated isolation and remediation
- Improved end-user performance compared to legacy antivirus
I hope this will be of help in your organization’s journey towards a comprehensive endpoint protection solution.
Ilai Bavati is a technology writer and editor based in Tel Aviv. Ilai covers topics ranging from machine learning and cybersecurity to cloud computing and the Internet of Things. He is interested in the real-world application of emerging technologies, and sees our increasingly connected reality as both disruptive and potentially life-saving.
Ilai is a guest blogger. All opinions are his own.